FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduces alert fatigue, context switching, and the mean time to respond to incidents.
jankit6
Staff
Article Id 269453
Description

This article explains how the Threat Intelligence enrichment playbook 'Get File Reputation' works.

Scope

FortiSOAR version 7.4.1 or prior.

Solution
  • The Enrichment Playbooks are part of the sample playbooks installed with each Threat Intelligence connector.
  • Once data ingestion and indicator extraction are complete, multiple enrichment playbooks are triggered to check reputation.
  • If the indicator type is 'File', the 'File > <TI Tool Name> > Enrichment' playbook is triggered.
  • Currently, a few Threat Intelligence connectors check the reputation of a file by uploading it to a third-party tool, such as VirusTotal, depending on the connector configured in FortiSOAR.
  • If the user does not want a playbook to upload the file to get its reputation, the enrichment playbook must be disabled manually in the respective connector's sample collection.
  • In the upcoming release of the TI connectors, users will get an option to select whether to check the reputation by file hash or by uploading the file to the server.